I'm working on local server for Linux repositories. We have been using HTTPS without SSL Verification for establishing connection between the Server and the Agents. Are there really any differences between using HTTPS with SSL Verification turned off and using plain old HTTP?
Asked
Active
Viewed 1,148 times
1
-
1The purpose of certificate verification is to prevent MITM (Man-in-the-Middle) attacks. To verify the identity of the person you are talking with. – S.L. Barth Jun 27 '18 at 07:05
1 Answers
4
To extract sensitive information from plain old HTTP passive sniffing is sufficient and it is also possible to just passively capture the data and analyze later. To extract the same amount of information from SSL (HTTPS) an active man in the middle attack is needed in order to create a SSL connection between attacker and client and another one between attacker and server. Certificate validation just lets the client detect such an attack before any data gets transmitted, i.e. even if certificates are not properly validated the attacker still needs to do an active MITM attack and passively sniffing the encrypted data is not sufficient.
If such an active attack is actually harder than a passive sniffing depends on your specific environment.
Steffen Ullrich
- 190,458
- 29
- 381
- 434